Is PowerShell natively supported by the Universal Forwarder or do we need to install the add-on?

sylbaea
Communicator

Hello,

I have a need to execute PowerShell scripts as modular inputs. I am a bit confused about the native support for that.

On one hand, I am under the impression it is supported out of the box by Windows UF when I read this:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts

On the other hand, there is a dedicated add-on available:
https://splunkbase.splunk.com/app/1477

Is it mandatory to deploy this add-on? Or is it only required for a specific scenario?

Regards.

0 Karma
1 Solution

rjthibod
Champion

PowerShell is supported out of the box with the Splunk Universal Forwarder. The second link for the add-on is in addition to the basic capabilities.

In general, the minimum design pattern to run a PowerShell script is to create an app/add-on for the Splunk UF, and in the app you should have a stanza in inputs.conf that looks like this:
[script://.\bin\<FILENAME>.path]

In the "bin" folder of your app you would have a script called .path and its contents would be a single line to call your actual ".ps1" file in the same "bin" folder. My ".path" file contains the following:

$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -command " &'$SPLUNK_HOME\etc\apps\<MY_APP>\bin\<FILENAME>.ps1'"

0 Karma
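A pre-deployment check for the three-piece layout described in the answer above (inputs.conf stanza, `.path` wrapper, `.ps1` script), added here as an example and not part of the original post or of Splunk's tooling. The app name `my_app`, the `default/inputs.conf` location, and the function names `check_app` and `demo` are assumptions; the sample files are constructed.

```python
import configparser, re, tempfile
from pathlib import Path, PureWindowsPath

def check_app(app_dir):
    """One finding per [script://...path] stanza in default/inputs.conf (location assumed)."""
    app_dir = Path(app_dir)
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read(app_dir / "default" / "inputs.conf")
    findings = []
    for stanza in conf.sections():
        low = stanza.lower()
        if not (low.startswith("script://") and low.endswith(".path")):
            continue
        # The stanza path is relative to the app directory and uses Windows separators.
        wrapper = app_dir.joinpath(*PureWindowsPath(stanza[len("script://"):]).parts)
        f = {"stanza": stanza, "wrapper_exists": wrapper.is_file(),
             "policy": None, "target": None, "target_ok": False}
        if f["wrapper_exists"]:
            line = wrapper.read_text().strip()
            pol = re.search(r"-ExecutionPolicy\s+(\S+)", line, re.I)
            tgt = re.search(r"&\s*'([^']+\.ps1)'", line, re.I)
            f["policy"] = pol.group(1) if pol else None
            if tgt:
                f["target"] = tgt.group(1)
                parts = PureWindowsPath(tgt.group(1)).parts
                # Expect $SPLUNK_HOME\etc\apps\<this app>\bin\<script>.ps1, present on disk.
                f["target_ok"] = (len(parts) == 6
                                  and [p.lower() for p in parts[:3]] == ["$splunk_home", "etc", "apps"]
                                  and parts[3] == app_dir.name and parts[4].lower() == "bin"
                                  and (app_dir / "bin" / parts[5]).is_file())
        findings.append(f)
    return findings

def demo():
    """Constructed sample app 'my_app': one complete input, one stanza with no wrapper."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "my_app"
        (app / "default").mkdir(parents=True)
        (app / "bin").mkdir()
        (app / "default" / "inputs.conf").write_text(
            "[script://.\\bin\\collect.path]\ninterval = 300\n\n"
            "[script://.\\bin\\missing.path]\ninterval = 300\n")
        (app / "bin" / "collect.ps1").write_text("Write-Output 'status=ok'\n")
        (app / "bin" / "collect.path").write_text(r'''
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -command " &'$SPLUNK_HOME\etc\apps\my_app\bin\collect.ps1'"
''')
        return check_app(app)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding also records the `-ExecutionPolicy` value the wrapper passes, so a review of the app shows which scripts the forwarder will launch and under which policy.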

matthewroberson
Path Finder

The documentation here says: "This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2" Do they mean the version of Splunk on the Universal Forwarder or the version of Splunk on the server? In other words, if I have a Universal Forwarder running version 6.2.1, does that mean I need to deploy the PowerShell add-on to that forwarder to be able to run a PowerShell script?

0 Karma

sloshburch
Ultra Champion

Yea, I too am confused because I really thought it used to declare itself not necessary (on the app entry or docs) but I don't see that. It doesn't include anything rich within props.conf so it's not looking like a necessity for knowledge object enrichment either.

0 Karma

sylbaea
Communicator

Thanks for your answer.

So what kind of additional capabilities can we expect from this add-on?

0 Karma

rjthibod
Champion

I think it is mostly intended to be a Splunk management tool. It allows you to configure, control, and query Splunk controls and data from PowerShell. It is kind of like an API or SDK for Splunk for PowerShell.

0 Karma